The hacker took ₹7.3 crore over three months by manipulating the payment gateway company’s authorization procedure to verify 831 unsuccessful transactions.
The South East cybercrime police are looking for a hacker who stole ₹7.3 crore over three months by manipulating a payment gateway company’s authorization procedure to verify 831 unsuccessful transactions.
The theft was discovered while Razorpay Software Private Limited staff were auditing the transactions. They were unable to reconcile ₹7,38,36,192 in receipts with 831 transactions.
Razorpay Software Private Limited offers online payment services that enable Indian businesses to accept payments by credit card, debit card, net banking, and wallets.
On May 16, Abhishek Abhinav Anand, Razorpay Software Private Limited’s head of Legal Disputes and Law Enforcement, filed a complaint with the South East cyber crime police.
The authorities are attempting to trace the hacker through the online transactions. An internal investigation conducted by Razorpay Software Private Limited found that one or more people had interfered with, changed, and manipulated the ‘authorisation and authentication process.’ As a result, Razorpay received bogus ‘approvals’ for the 831 unsuccessful transactions, resulting in a loss of ₹7,38,36,192.
Razorpay Software Private Limited furnished the authorities with information on the 831 unsuccessful transactions, including the date, time, and IP address, as well as other pertinent information.
A spokeswoman for Razorpay said in a statement, “Razorpay’s payment gateway meets industry requirements for data security. An unauthorized actor(s) with malicious intent utilized the browser during a regular payment procedure to tamper with authorization data on a few merchant sites that were utilizing an earlier version of Razorpay’s integration owing to holes in their payment verification process.
“The business undertook an examination of the platform to ensure that no additional systems, merchant data and payments, or end-users were impacted by this event.
“To safeguard organizations from possible risks, the firm is ISO 27k, PCI-DSS, and SOC 2 certified, and it employs end-to-end transaction data security features, as well as robust authentication and authorisation mechanisms.
“Razorpay has taken aggressive actions to permanently alleviate the issue and avoid future recurrence. The firm has already recovered a portion of the money and is actively working with the appropriate authorities to complete the process.”
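The statement attributes the loss to authorization data being altered in the browser and to gaps in merchant-side payment verification. As an added illustration (not code from Razorpay or from this article), the sketch below contrasts a callback handler that trusts a browser-supplied status with one that checks a server-side HMAC. The field names, the `order_id|payment_id` message layout and the secret are assumptions, since the article does not describe the affected merchants' code.

```python
import hashlib
import hmac

# Constructed secret for illustration; a real one lives only on the server.
KEY_SECRET = b"constructed-demo-secret"


def sign(order_id, payment_id, secret=KEY_SECRET):
    """HMAC-SHA256 over 'order_id|payment_id' (message layout is an assumption)."""
    message = f"{order_id}|{payment_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def naive_is_paid(params):
    """Weak check: trusts a status field that passed through the browser."""
    return params.get("status") == "authorized"


def verify_callback(params, expected_order_id, secret=KEY_SECRET):
    """Hardened check: signature must match, for the order this server created."""
    order_id = str(params.get("order_id", ""))
    payment_id = str(params.get("payment_id", ""))
    signature = str(params.get("signature", ""))
    if not payment_id or order_id != expected_order_id:
        return False  # missing data, or a callback presented for another order
    expected = sign(order_id, payment_id, secret)
    # Constant-time comparison on bytes avoids timing leaks and non-ASCII errors.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # Constructed callbacks: one genuine, one with an altered status and signature.
    genuine = {"order_id": "order_A1", "payment_id": "pay_X9",
               "signature": sign("order_A1", "pay_X9"), "status": "authorized"}
    altered = {"order_id": "order_A1", "payment_id": "pay_X9",
               "signature": "0" * 64, "status": "authorized"}
    for name, cb in (("genuine", genuine), ("altered", altered)):
        print(name, "naive:", naive_is_paid(cb),
              "verified:", verify_callback(cb, "order_A1"))
```

A merchant would additionally confirm the amount and final payment state with the gateway from its own server before fulfilling the order.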
As a result, businesses and organizations must prioritize data protection. Use acceptable data protection methods, such as backup and disaster recovery. There is a lot of new backup software available these days, such as VMware Backup, Hyper-V Backup, XenServer Backup, and so on.